Start to replace MD5 soon

SSL certificates are usually signed by a Certification Authority using a cryptographic hash function such as MD5. An international team of researchers has carried out an attack on MD5 using a cluster of 200 PlayStation 3 systems. They managed to abuse the signature of a Certification Authority to sign their own certificate in only two days. Because this Certification Authority is known to every browser, browsers accepted the certificate as trustworthy.

The attack method was a collision attack. The idea is to create different input texts that produce the same MD5 result, so that a signature made over one of them is also valid for the other. These kinds of attacks are not new, but they have become much more feasible. Nevertheless, there is no immediate danger and no reason to panic. But the attack showed that it is possible to crack MD5, so you can start to replace MD5 now. Make sure nothing you use for SSL and SSH is signed using MD5; use SHA-1 instead. Although there have been attacks on SHA-1 too, these attacks have no practical relevance yet.
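One way to check which hash a CA used to sign a certificate, as an added example that is not part of the original article: it reads the outer `signatureAlgorithm` field of a PEM or DER certificate and flags MD5. The function names are illustrative, and `sample_cert` builds constructed, zero-filled skeletons rather than real certificates.

```python
import base64

SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # PKCS #1 OIDs

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(cert):
    """Name (or dotted OID) of the algorithm the CA signed a PEM/DER cert with."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        lines = cert.strip().split(b"\n")
        cert = base64.b64decode(b"".join(l for l in lines if not l.startswith(b"-----")))
    tag, seq, _ = read_tlv(cert, 0)         # Certificate ::= SEQUENCE {
    _, _, pos = read_tlv(seq, 0)            #   tbsCertificate (skipped)
    _, alg, _ = read_tlv(seq, pos)          #   signatureAlgorithm
    oid_tag, oid, _ = read_tlv(alg, 0)      #     algorithm OBJECT IDENTIFIER
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    dotted = decode_oid(oid)
    return SIG_ALGS.get(dotted, dotted)

def uses_md5(cert):
    return signature_algorithm(cert).startswith("md5")

def der(tag, value):  # minimal DER encoder, used only to build the samples
    size = len(value).to_bytes(max(1, (len(value).bit_length() + 7) // 8), "big")
    return bytes([tag]) + (size if len(value) < 0x80 else bytes([0x80 | len(size)]) + size) + value

def sample_cert(last_arc):  # constructed skeleton: zero-filled body and signature
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + der(0x05, b""))
    return der(0x30, der(0x30, bytes(200)) + alg + der(0x03, bytes(129)))
```

The check only reports the algorithm named in the certificate; it does not verify the signature, and it has to be run over every certificate in the chain below the root.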

The original article at The H Security provides a more detailed description of the attack and a FAQ.